From 2db338f0826f2ce593e02cad670db056ead03d94 Mon Sep 17 00:00:00 2001 From: Nicolas Rodriguez Date: Tue, 5 May 2026 09:33:04 +0200 Subject: [PATCH] Potential fix for code scanning alert no. 1: Unsafe shell command constructed from library input Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- lib/grack/git.rb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/lib/grack/git.rb b/lib/grack/git.rb index 7bfc54a..6f1f775 100644 --- a/lib/grack/git.rb +++ b/lib/grack/git.rb @@ -42,7 +42,11 @@ def popen_env end def config_setting(service_name) - service_name = service_name.gsub('-', '') + service_name = service_name.to_s.gsub('-', '') + unless %w[uploadpack receivepack].include?(service_name) + raise ArgumentError, "Unsupported service name: #{service_name}" + end + setting = config("http.#{service_name}") if service_name == 'uploadpack' @@ -53,6 +57,11 @@ def config_setting(service_name) end def config(config_name) + config_name = config_name.to_s + unless /\Ahttp\.(uploadpack|receivepack)\z/.match?(config_name) + raise ArgumentError, "Unsupported config name: #{config_name}" + end + execute(%W(config #{config_name})) end
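Review bot: The new allowlist check in `config_setting` turns an unknown service into an `ArgumentError`, so if the caller passes the request's service parameter straight in, a malformed or probing request now surfaces as an unhandled exception (a 500 from a Rack app) rather than a 4xx — whether anything rescues it is outside this hunk, so confirm at the call site. The check is also a second copy of the allowlist that `config` enforces with a regex in the next hunk; keeping both in one frozen constant prevents them drifting apart, e.g. `SERVICES = %w[uploadpack receivepack].freeze` at class level and `unless SERVICES.include?(service_name)` here. Because `gsub('-', '')` runs before the check, spellings like `up-load-pack` are still accepted; harmless given the allowlist, but worth a comment such as `# normalise upload-pack/receive-pack to git's config key form; anything else is rejected below`. `config_setting` continues past the end of this hunk.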
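Review bot: The regex guard in `config` narrows a method that previously accepted any key to exactly two, so any other caller that read a different `http.*` setting through `config` would now raise `ArgumentError`; if a grep shows none, a short comment stating the contract would help, e.g. `# Only the two keys config_setting needs are allowed; this is the last check before the value reaches git's argv`. The rejected value is interpolated raw into the exception message, and since it is attacker-controllable it may carry newlines or control characters into logs — `raise ArgumentError, "Unsupported config name: #{config_name.inspect}"` keeps that visible and harmless. Note that `%W(config #{config_name})` already builds an argv array, so if `execute` (not shown) hands it to `popen`/`Open3` without a shell the allowlist is defence in depth rather than the actual fix, whereas if `execute` joins the array into a shell string the allowlist is what is doing the work and the comment should say so.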